The Walt Disney Company started its program on HackerOne in March 2022. Last week, I reported three highs and one critical on their program. This is the story of an IDOR report caused by improper authorization.
Authentication and Authorization
Authentication: proving who you are. When a user logs into a site or app with a password, token or similar credential, that is authentication.
Authorization: deciding what an authenticated user is allowed to see and do. The level of access you have after logging in, and which actions you can perform, is governed by authorization.
As per AWS Security, Authentication is “Who Am I?” and Authorization is “What can you do?”
IDOR stands for Insecure Direct Object Reference. It arises from access control implementation mistakes: the application takes an identifier for an object straight from the client (an account number, a database key, a file name) and acts on that object without checking that the authenticated user is actually allowed to access it.
If I wanted to explain it to my grandmother, I would say: suppose Shyam goes to the bank and fills in a support form to look up his details. The form has an AccountNumber field, which the bank uses to fetch the customer's record. Instead of entering his own AccountNumber, Shyam writes Ram's. The bank hands over Ram's account details without checking whether the person in front of them is Ram or Shyam.
The Walt Disney Company has many assets in scope, including Pixar, Marvel, Disney, Hotstar, etc. As the bug is still not resolved, let's call the vulnerable domain redacted.com.
While doing reconnaissance on this domain, I found a subdomain, call it sub.redacted.com, where self-registration was not available, but I found a critically vulnerable way to register myself (another writeup for the future).
I registered an account on sub.redacted.com and visited my Account Panel to see my user details. I clicked Edit Profile, edited some fields in the profile, then looked at the request in the HTTP history in Burp Suite. Below are the details of the URL and request.
Which number does grandmother have to change to edit some other user's details? CustomerNumber. I changed CustomerNumber to the CustomerNumber of another account under my control.
Respect the program's data integrity constraints: do not modify other users' profiles if an alternative is available. I have a second account, so I used that one's CustomerNumber.
And, guess what: the account details were changed just by changing the CustomerNumber.
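As an added illustration (not code from the original writeup or from redacted.com), here is a minimal model of the edit-profile handler described above in two forms: the vulnerable version, which trusts the CustomerNumber in the request body, and a fixed version, which resolves the customer from the login session and rejects a foreign identifier. The in-memory customer table, field names and helper names are assumptions made for the demo. The two-account check mirrors the approach in the writeup of testing with a second account you control rather than touching a stranger's data.

```python
from dataclasses import dataclass

# Constructed in-memory "customer table": CustomerNumber -> profile fields.
# The numbers, names and field names are assumptions for this demo.
SEED_PROFILES = {
    "1001": {"name": "Shyam", "email": "shyam@example.com"},
    "1002": {"name": "Ram", "email": "ram@example.com"},
}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized for the object."""


@dataclass
class Session:
    """What the server learned at login. This is the only trustworthy identity."""
    customer_number: str


def fresh_db():
    """Copy of the seed table so every scenario starts from a known state."""
    return {num: dict(fields) for num, fields in SEED_PROFILES.items()}


def update_profile_vulnerable(db, session, body):
    """Edit-profile handler as the writeup describes it: the record to update is
    chosen by the CustomerNumber the client sent. The session is never compared
    against it, so any authenticated user can edit any customer's profile."""
    target = body["CustomerNumber"]  # attacker-controlled object reference
    if target not in db:
        raise KeyError(target)
    changes = {k: v for k, v in body.items() if k != "CustomerNumber"}
    db[target].update(changes)
    return db[target]


def update_profile_fixed(db, session, body):
    """Hardened handler: the record is resolved from the session, not the body.
    A CustomerNumber in the body that does not match is rejected rather than
    silently ignored, so probing with foreign identifiers shows up in logs."""
    target = session.customer_number
    if body.get("CustomerNumber", target) != target:
        raise Forbidden(f"CustomerNumber {body['CustomerNumber']} is not the session owner")
    changes = {k: v for k, v in body.items() if k != "CustomerNumber"}
    db[target].update(changes)
    return db[target]


def idor_check(handler, attacker="1001", victim="1002"):
    """Two-account IDOR test: log in as one account you control and try to
    edit a second account you also control. Returns True when the victim's
    stored profile actually changed, i.e. the handler is vulnerable."""
    db = fresh_db()
    before = dict(db[victim])
    session = Session(customer_number=attacker)
    body = {"CustomerNumber": victim, "name": "changed-by-attacker"}
    try:
        handler(db, session, body)
    except Forbidden:
        pass  # correct behaviour: the request was refused
    return db[victim] != before


def self_edit_works(handler, customer="1001"):
    """Regression check: the fix must still let a user edit their own profile."""
    db = fresh_db()
    session = Session(customer_number=customer)
    handler(db, session, {"CustomerNumber": customer, "name": "Shyam K."})
    return db[customer]["name"] == "Shyam K."


if __name__ == "__main__":
    print("vulnerable handler, IDOR:", idor_check(update_profile_vulnerable))  # True
    print("fixed handler, IDOR:", idor_check(update_profile_fixed))            # False
```

The fix deliberately raises rather than quietly substituting the session's own CustomerNumber: a mismatch between the identifier a client sends and the identity the server knows is a signal worth logging, and failing closed keeps a later refactor from reintroducing the body value as the lookup key.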
The Walt Disney Company Reply